Worklet to remove local admin permission from an account on a domain joined device
I have been trying to figure out a way to remove local admin rights from users on domain joined devices with an Automox worklet but haven't made any progress.
The closest I got was with a worklet that would check to see if the current signed in user is a member of the local administrator's group, and if so, add them to the local Users group and delete them from the local administrator's group, but it always tries to move the NT AUTHORITY\SYSTEM account.
I need to do this on a large scale, so having to specify the account to move isn't viable. Has anyone tried to do something like this before? Any hints or suggestions?
The only domain account that should be in the local administrator's group would be "[Domain]\Domain Admins".
This is what I tried:
```powershell
# Get the current logged-in user
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userName = $currentUser.Name

# Define the local groups
$usersGroup = "Users"
$adminGroup = "Administrators"

# Check if the user is already in the Users group
$isInUsersGroup = (Get-LocalGroupMember -Group $usersGroup | Where-Object { $_.Name -eq $userName })

# Check if the user is in the Administrators group
$isInAdminGroup = (Get-LocalGroupMember -Group $adminGroup | Where-Object { $_.Name -eq $userName })

# Add the user to the Users group if not already a member
if (-not $isInUsersGroup) {
    try {
        Add-LocalGroupMember -Group $usersGroup -Member $userName
        Write-Host "$userName has been added to the $usersGroup group."
    } catch {
        Write-Host "Failed to add $userName to the $usersGroup group. Error: $_"
    }
} else {
    Write-Host "$userName is already a member of the $usersGroup group."
}

# Remove the user from the Administrators group if they are a member
if ($isInAdminGroup) {
    try {
        Remove-LocalGroupMember -Group $adminGroup -Member $userName
        Write-Host "$userName has been removed from the $adminGroup group."
        Exit 0
    } catch {
        Write-Host "Failed to remove $userName from the $adminGroup group. Error: $_"
        Exit 1
    }
} else {
    Write-Host "$userName is not a member of the $adminGroup group."
    Exit 0
}
```
This was the result:
Failed to add NT AUTHORITY\SYSTEM to the Users group. Error: The term 'Add-LocalGroupMember' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. NT AUTHORITY\SYSTEM is not a member of the Administrators group.
Hi!
The command `Get-LocalGroupMember -Group "GroupName"` is not recognized in the x86 PowerShell context; it needs to run in x64.
I had to accomplish something similar to what you're trying to do in my environment, and I used Automox to get it done. Here is my remediation code; you might need to change a few things around for it to work in your environment. Let me know if you need help!
Thank you so much for this maalvarez!! Sorry for the delay. One question: do I have to use the script block in the evaluation code as well? I'm assuming I do, since I'm using the `Get-LocalGroupMember` command, which is what was unrecognized in the 32-bit context. However, I can't test the evaluation code using Automox and don't really know if running it locally in PowerShell would have the same results.
Hi! You’re correct. You need to use the scriptblock in the evaluation as well.
What I do to test my evaluations is scan the devices. From my understanding, Automox runs the evaluation code of a worklet every time a device scans; if you see a green checkmark after your scan, then your evaluation code exited with 0 and you know the device is compliant.
Or you can test locally. I use the 32-bit ISE to test my evaluations; I just comment out the exit codes and use Write-Host to view the output.
I’m assuming that’s your evaluation code, I just tried it on my end and these were the results.
I did have to make a change to line 4: I changed it so that it only displays my domain instead of domain.local.
Here is what I ran in my environment as the evaluation:
```powershell
$scriptBlock = {
    $ComputerName = $env:COMPUTERNAME
    $Domain = "DOMAIN" # Changed From DOMAIN.LOCAL

    # Exclude local computer administrator accounts and Domain Admin Accounts.
    $excludedAccounts = @("$ComputerName\admin", "$ComputerName\Administrator", "$Domain\Domain Admins")

    # Get the list of local administrators
    $localAdministrators = (Get-LocalGroupMember -Group "Administrators").Name

    # The below two lines are not needed
    #Write-Host "Local Administrators:"
    #$localAdministrators

    # Every member that is not on the exclusion list is a candidate for removal
    # (this assignment is not visible in the post as extracted; reconstructed from the list above)
    $accountsToRemove = @($localAdministrators | Where-Object { $excludedAccounts -notcontains $_ })

    # Check if there are any accounts to remove
    if ($accountsToRemove.Count -gt 0) {
        #Write-Host "Accounts to remove:"
        #$accountsToRemove

        # Go to remediation
        Exit 1
    } else {
        #Write-Host "No additional accounts found in the Administrators group."
        # No remediation needed
        Exit 0
    }
} # Added missing } from scriptblock
```
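The two problems raised in this thread are that a worklet runs as NT AUTHORITY\SYSTEM (so `WindowsIdentity::GetCurrent()` never returns the interactive user) and that `Get-LocalGroupMember` only exists in 64-bit PowerShell. The script below is an added example, not code from the original posts or from Automox: it enumerates the Administrators group and subtracts an allow-list instead of asking who is running, and re-launches itself through the `sysnative` alias when it finds it is a 32-bit process. The allow-list contents, the `DOMAIN` placeholder, the `$Remediate` flag and the `sysnative` invocation are this example's own assumptions.

```powershell
$scriptBlock = {
    # Set to $true in the worklet's Remediation field, leave $false in Evaluation.
    $Remediate = $false

    $computer = $env:COMPUTERNAME
    $domain   = 'DOMAIN'   # placeholder: your NetBIOS domain name, as Get-LocalGroupMember prints it

    # Allow-list of principals that may stay in Administrators (constructed for this example).
    $allowed = @(
        "$computer\Administrator",
        "$domain\Domain Admins"
    )

    # -ErrorAction Stop: the cmdlet throws when a member SID can no longer be resolved
    # (e.g. a deleted domain account); surface that instead of reporting "compliant".
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        Write-Host "Could not enumerate Administrators: $_"
        exit 1
    }

    # Enumerating the group, rather than asking who is running the script, is what keeps
    # NT AUTHORITY\SYSTEM out of the picture. Name comparison is case-insensitive.
    $extra = @($members | Where-Object { $allowed -notcontains $_.Name })

    if ($extra.Count -eq 0) {
        Write-Host 'Administrators contains only allow-listed members.'
        exit 0
    }

    Write-Host "Unexpected members of Administrators: $($extra.Name -join ', ')"
    if (-not $Remediate) { exit 1 }   # evaluation: non-compliant, Automox schedules remediation

    $failed = 0
    foreach ($m in $extra) {
        try {
            # Pass the LocalPrincipal object itself so the match is by SID, not a re-resolved name.
            Remove-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction Stop
            Write-Host "Removed $($m.Name) [$($m.ObjectClass)] from Administrators."
        } catch {
            Write-Host "Failed to remove $($m.Name): $_"
            $failed++
        }
    }
    if ($failed -gt 0) { exit 1 } else { exit 0 }
}

# PROCESSOR_ARCHITEW6432 is only set inside a 32-bit (WOW64) process on a 64-bit OS.
# In that case hand the block to the x64 engine through the sysnative alias and
# forward its exit code, so Automox still sees 0/1 from the outer process.
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
    $ps64 = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    & $ps64 -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command $scriptBlock
    exit $LASTEXITCODE
}
& $scriptBlock
```

Paste the same block into both worklet fields and flip `$Remediate` in the remediation copy; the evaluation only reports and exits 1, so a mistake in the allow-list shows up in the scan results before anything is removed. Keep `$computer\Administrator` on the list even if the account is disabled: removing the built-in administrator from its own group fails and would leave the worklet permanently non-compliant.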
I ran both the Evaluation and Remediation codes in local PS using comments and it worked exactly as expected. Thanks again, that was really a big help.